Last active
June 23, 2022 17:51
-
-
Save hoegaarden/dd9234ce72009f4df245b4807ec5c762 to your computer and use it in GitHub Desktop.
UAA LDAP auth ops file: Can we use this ops file to configure the UAA that comes with concourse to talk to LDAP?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Configure UAA to talk to LDAP | |
| - type: replace | |
| path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/ldap? | |
| value: | |
| # description: "Set to true to enable LDAP" | |
| # default: false | |
| enabled: true | |
| # description: | | |
| # If the LDAP configuration has `override: false` set, the LDAP values will only be stored | |
| # in the database if the LDAP has not been configured yet. | |
| # If property is omitted, the default is override: true | |
| override: true | |
| # description: "The file to be used for configuring the LDAP authentication. Options are: 'simple-bind', 'search-and-bind', 'search-and-compare'" | |
| # default: search-and-bind | |
| profile_type: search-and-bind | |
| # description: "The URL to the ldap server, must start with ldap:// or ldaps://. Allows multiple servers to be specified, space separated" | |
| # example: ldap://localhost:389 ldaps://secure.host:636 | |
| url: ((ldap_proto_and_host)) | |
| ## # description: "Used with simple-bind only. A semi-colon separated lists of DN patterns to construct a DN direct from the user ID without performing a search." | |
| ## userDNPattern: | |
| ## # description: "The delimiter character in between user DN patterns for simple-bind authentication" | |
| ## # default: ";" | |
| ## userDNPatternDelimiter: | |
| # description: "Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information. " | |
| userDN: ((ldap_bind_dn)) | |
| # description: "Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information." | |
| userPassword: ((ldap_bind_pw)) | |
| # description: "Used with search-and-bind and search-and-compare. Define a base where the search starts at." | |
| # default: "" | |
| searchBase: ((ldap_user_search_base_dn)) | |
| # description: "Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}" | |
| # default: "cn={0}" | |
| searchFilter: ((ldap_user_search_filter)) | |
| ## # description: "Used with search-and-compare only. The name of the password attribute in the LDAP directory" | |
| ## # default: "userPassword" | |
| ## passwordAttributeName: | |
| ## # description: "Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server." | |
| ## # default: "true" | |
| ## localPasswordCompare: | |
| ## # description: "Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory." | |
| ## # default: "org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator" | |
| ## passwordEncoder: | |
| # description: "Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection." | |
| sslCertificate: ((ldap_ca_cert)) | |
| ssl: | |
| # description: "Set to true, and LDAPS connection will not validate the server certificate." | |
| # default: false | |
| skipverification: ((ldap_insecure_skip_verify)) | |
| ## # description: "If using StartTLS, what mode to enable. Default is none, not enabled. Possible values are none, simple" | |
| ## # default: none | |
| ## ssl.tls: | |
| # description: "The name of the LDAP attribute that contains the users email address" | |
| # default: mail | |
| mailAttributeName: ((ldap_user_search_email_attr)) | |
| ## # description: "Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication" | |
| ## # default: '' | |
| ## mailSubstitute: | |
| ## # description: "Set to true if you wish to override an LDAP user email address with a generated one" | |
| ## # default: false | |
| ## mailSubstituteOverridesLdap: | |
| ## # description: | | |
| ## # Configures the UAA LDAP referral behavior. The following values are possible: | |
| ## # - follow -> Referrals are followed | |
| ## # - ignore -> Referrals are ignored and the partial result is returned | |
| ## # - throw -> An error is thrown and the authentication is aborted | |
| ## # Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html | |
| ## # default: follow | |
| ## referral: | |
| groups: | |
| # description: "What type of group integration should be used. Values are: 'no-groups', 'groups-as-scopes', 'groups-map-to-scopes'" | |
| # default: "no-groups" | |
| profile_type: groups-map-to-scopes | |
| # description: "Search start point for a user group membership search, and sequential nested searches.. You can set this value to 'memberOf' when using Active Directory and skip group search but use the calculated memberOf field on the user records. No nested search will be performed." | |
| # default: "" | |
| searchBase: ((ldap_group_search_base_dn)) | |
| ## # description: "Used with groups-as-scopes, defines the attribute that holds the scope name(s)." | |
| ## # default: spring.security.ldap.dn | |
| ## groupRoleAttribute: | |
| # description: "Search query filter to find the groups a user belongs to, or for a nested search, groups that a group belongs to" | |
| # default: "member={0}" | |
| groupSearchFilter: ((ldap_group_search_filter)) | |
| # description: "Boolean value, set to true to search below the search base" | |
| # default: "true" | |
| searchSubtree: ((ldap_group_search_subtree)) | |
| # description: "Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)" | |
| # default: "1" | |
| maxSearchDepth: ((ldap_group_search_depth)) | |
| ## # description: "Sets the whitelist of emails domains that the LDAP identity provider handles" | |
| ## # example: | |
| ## # - whitelist-domain1.org | |
| ## # - whitelist-domain2.org | |
| ## emailDomain: | |
| ## # description: "Specifies how UAA user attributes map to LDAP attributes. given_name, family_name, and phone_number are UAA user attributes, while other attributes should be included using the prefix `user.attribute`" | |
| ## # example: | |
| ## # given_name: givenName | |
| ## # family_name: sn | |
| ## # phone_number: telephoneNumber | |
| ## # user.attribute.name-of-attribute-in-uaa-id-token: name-of-attribute-in-ldap-record | |
| ## # user.attribute.name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-ldap-record | |
| ## attributeMappings: | |
| ## # description: "Stores custom attribute mappings from the attributeMappings configuration in the database so that they can be retrieved using the /userinfo endpoint" | |
| ## # default: true | |
| ## storeCustomAttributes: | |
| ## # description: "Whitelist of external groups from LDAP that get added as roles in the ID Token" | |
| ## # example: | |
| ## # - admin | |
| ## # - user | |
| ## externalGroupsWhitelist: | |
| # description: "If set to false, only users pre-populated in the UAA user database will be allowed to authenticate via LDAP. If set to true, any user from LDAP will be allowed to authenticate and an internal user will be created if one does not yet exist." | |
| # default: true | |
| add_shadow_user_on_login: true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment